Hello community, here is the log from the commit of package fetchmail for openSUSE:Factory checked in at Mon Aug 10 17:49:34 CEST 2009. -------- --- fetchmail/fetchmail.changes 2009-07-03 09:59:58.000000000 +0200 +++ fetchmail/fetchmail.changes 2009-08-10 11:35:41.000000000 +0200 
@@ -1,0 +2,37 @@ +Mon Aug 10 09:30:16 UTC 2009 - puzel@novell.com + +- add fetchmail-6.3.11-fix-invalid-free.patch + - fix https://bugs.gentoo.org/280760 + +------------------------------------------------------------------- +Sun Aug 9 12:43:26 CEST 2009 - coolo@novell.com + +- use new python macros + +------------------------------------------------------------------- +Thu Aug 6 11:35:50 UTC 2009 - puzel@novell.com + +- update to 6.3.11 + # SECURITY BUGFIXES + * CVE-2009-2666: SSL NUL prefix impersonation attack through NULs in a + part of a X.509 certificate's CommonName and subjectAltName fields. These + fields use opaque strings with a separate length field, so that the NUL + character isn't a special character inside the certificate. Fetchmail, being + written in the C language, used to treat these strings as C strings + nonetheless, so that the domain comparison would end at the first embedded NUL + character, rather than at the real end of the string. + Fetchmail will now abort certificate verification as failed if NULs are + encountered inside either of these fields regardless of their position, and + drop the connection even if --sslcertck is not used, because NUL is not a + valid character in legitimate DNS names. + See fetchmail-SA-2009-01.txt for details, including a minimal patch. + + # BUGFIXES + * Remove the spurious message "message delimiter found while scanning headers". + RFC-5322 syntax states that the delimiter is part of the body, and the body is + optional. + * Convert all non-printable characters in certificate Subject/Issuer + Common Name or Subject Alternative Name fields to ANSI-C hex escapes (\xnn, + where nn are hex digits). 
+ +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- fetchmail-6.3.10.tar.bz2 New: ---- fetchmail-6.3.11-fix-invalid-free.patch fetchmail-6.3.11.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fetchmail.spec ++++++ --- /var/tmp/diff_new_pack.jh87V0/_old 2009-08-10 17:41:49.000000000 +0200 +++ /var/tmp/diff_new_pack.jh87V0/_new 2009-08-10 17:41:49.000000000 +0200 @@ -1,5 +1,5 @@ # -# spec file for package fetchmail (Version 6.3.10) +# spec file for package fetchmail (Version 6.3.11) # # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -29,13 +29,14 @@ License: GPL v2 or later ; Other uncritical OpenSource License ; Public Domain, Freeware Group: Productivity/Networking/Email/Utilities AutoReqProv: on -Version: 6.3.10 +Version: 6.3.11 Release: 1 Source: %{name}-%{version}.tar.bz2 Source1: %{name}.init Source2: %{name}.logrotate Source3: sysconfig.%{name} -Patch: fetchmail-6.3.8-smtp_errors.patch +Patch0: fetchmail-6.3.8-smtp_errors.patch +Patch1: fetchmail-6.3.11-fix-invalid-free.patch PreReq: %insserv_prereq %fillup_prereq coreutils pwdutils Url: http://fetchmail.berlios.de/ Icon: fetchmail.xpm @@ -87,7 +88,8 @@ %prep %setup -q -%patch -p1 +%patch0 -p1 +%patch1 -p0 cp -a %{S:1} %{S:2} %{S:3} . %build @@ -170,6 +172,6 @@ %defattr(-, root, root) %{_bindir}/fetchmailconf %doc %{_mandir}/man1/fetchmailconf.1.gz -%{py_sitedir}/fetchmailconf.* +%{python_sitelib}/fetchmailconf.* %changelog ++++++ fetchmail-6.3.11-fix-invalid-free.patch ++++++ --- socket.c.org 2009-08-08 16:01:49.000000000 +0200 +++ socket.c 2009-08-08 16:03:17.000000000 +0200 
@@ -628,9 +628,10 @@ report(stdout, GT_("Unknown Issuer CommonName\n")); } if ((i = X509_NAME_get_text_by_NID(subj, NID_commonName, buf, sizeof(buf))) != -1) { - if (outlevel >= O_VERBOSE) + if (outlevel >= O_VERBOSE) { report(stdout, GT_("Server CommonName: %s\n"), (tt = sdump(buf, i))); - xfree(tt); + xfree(tt); + } if ((size_t)i >= sizeof(buf) - 1) { /* Possible truncation. In this case, this is a DNS name, so this * is really bad. We do not tolerate this even in the non-strict case. */ ++++++ fetchmail-6.3.10.tar.bz2 -> fetchmail-6.3.11.tar.bz2 ++++++ ++++ 8448 lines of diff (skipped) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
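Review bot: The Aug 10 fetchmail.changes entry says only `fix https://bugs.gentoo.org/280760`, which gives a reader of the changelog no idea what was broken; since the attached patch touches the server CommonName verification block in socket.c, i.e. the same certificate CommonName handling that the 6.3.11 entry above describes for CVE-2009-2666, a few more words such as `fix invalid free in SSL server CommonName check when not running verbose` would make clear that this is a crash in the certificate-verification path and not an unrelated bug.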
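Review bot: The new `Patch1: fetchmail-6.3.11-fix-invalid-free.patch` line in fetchmail.spec has no accompanying comment naming where the patch comes from, and the patch file itself (a plain `socket.c.org` vs `socket.c` diff) carries no header either; a `# PATCH-FIX-UPSTREAM` style comment above `Patch1:` with the Gentoo bug URL from the changelog would keep the provenance next to the patch for the next rebase. The strip levels are consistent: `%patch1 -p0` in %prep matches the headerless `--- socket.c.org` / `+++ socket.c` paths, and `%patch0 -p1` keeps the previous level for the renamed `Patch:` line.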
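Review bot: In the socket.c hunk the added braces around `report(stdout, GT_("Server CommonName: %s\n"), (tt = sdump(buf, i)));` and `xfree(tt);` correctly remove the invalid free: before the change `tt` was only assigned inside the `if (outlevel >= O_VERBOSE)` call but freed unconditionally, so in non-verbose runs `xfree` received whatever `tt` held from its declaration or an earlier use. Two follow-ups: the declaration of `tt` is outside this hunk, so please confirm it is initialised to NULL there (an uninitialised `tt` would still be freed by any other unconditional `xfree(tt)` in this function), and the Issuer CommonName block just above (of which only `report(stdout, GT_("Unknown Issuer CommonName\n")); }` is visible here) is worth checking for the same conditional-assign, unconditional-free shape.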